diff --git a/third_party/go/patches/k8s-e2e-tests-providerless.patch b/third_party/go/patches/k8s-e2e-tests-providerless.patch
index e4f7dab..b761257 100644
--- a/third_party/go/patches/k8s-e2e-tests-providerless.patch
+++ b/third_party/go/patches/k8s-e2e-tests-providerless.patch
@@ -13,7 +13,7 @@
 limitations under the License.
 
 
-From 43752b6c34f49080de3a66b79cbcd92b214c1f01 Mon Sep 17 00:00:00 2001
+From 65e40a970e3f33f44423653767c9ca8ff792bf70 Mon Sep 17 00:00:00 2001
 From: Lorenz Brun <lorenz@nexantic.com>
 Date: Mon, 20 Jul 2020 16:50:56 +0200
 Subject: [PATCH] POC Make e2e test suite support providerless
@@ -24,6 +24,7 @@
  test/e2e/e2e.go                               |  10 -
  test/e2e/e2e_providers.go                     |  32 +
  .../framework/providers/gce/firewall_test.go  |   2 +
+ test/e2e/instrumentation/logging/imports.go   |   2 +
  .../instrumentation/monitoring/accelerator.go |   2 +
  .../monitoring/custom_metrics_deployments.go  |   2 +
  .../monitoring/custom_metrics_stackdriver.go  |   4 +-
@@ -35,7 +36,7 @@
  test/e2e/network/network_tiers.go             |   2 +
  test/e2e/network/scale/ingress.go             |   2 +
  .../network/scale/localrun/ingress_scale.go   |   2 +-
- test/e2e/network/service.go                   | 912 ----------------
+ test/e2e/network/service.go                   | 955 -----------------
  test/e2e/network/service_providers.go         | 980 ++++++++++++++++++
  test/e2e/node/recreate_node.go                |   2 +
  test/e2e/scheduling/nvidia-gpus.go            |   2 +
@@ -46,12 +47,14 @@
  test/e2e/storage/in_tree_volumes_providers.go |  46 +
  .../nfs_persistent_volume-disruptive.go       |   2 +-
  test/e2e/storage/pd.go                        |   2 +
- test/e2e/storage/persistent_volumes-gce.go    |   3 +
+ test/e2e/storage/persistent_volumes-gce.go    |   2 +
  test/e2e/storage/regional_pd.go               |   3 +
+ test/e2e/storage/utils/BUILD                  |   3 -
+ test/e2e/storage/utils/ebs.go                 |   2 +
  test/e2e/storage/volume_provisioning.go       | 527 ----------
  .../storage/volume_provisioning_providers.go  | 577 +++++++++++
  test/e2e/upgrades/nvidia-gpu.go               |   2 +
- 32 files changed, 2432 insertions(+), 2190 deletions(-)
+ 35 files changed, 2435 insertions(+), 2236 deletions(-)
  create mode 100644 test/e2e/e2e_providers.go
  create mode 100644 test/e2e/network/service_providers.go
  create mode 100644 test/e2e/storage/drivers/in_tree_providers.go
@@ -147,6 +150,16 @@
  /*
  Copyright 2018 The Kubernetes Authors.
  
+diff --git a/test/e2e/instrumentation/logging/imports.go b/test/e2e/instrumentation/logging/imports.go
+index 5dd66717db1..fc15c04bfef 100644
+--- a/test/e2e/instrumentation/logging/imports.go
++++ b/test/e2e/instrumentation/logging/imports.go
+@@ -1,3 +1,5 @@
++// +build !providerless
++
+ /*
+ Copyright 2017 The Kubernetes Authors.
+ 
 diff --git a/test/e2e/instrumentation/monitoring/accelerator.go b/test/e2e/instrumentation/monitoring/accelerator.go
 index 90047e46ea1..6fa094e6a18 100644
 --- a/test/e2e/instrumentation/monitoring/accelerator.go
@@ -226,7 +239,7 @@
  Copyright 2016 The Kubernetes Authors.
  
 diff --git a/test/e2e/network/ingress.go b/test/e2e/network/ingress.go
-index f1bce918e8f..1a37badbd7b 100644
+index 6c3b09e41f2..8485f8ce50e 100644
 --- a/test/e2e/network/ingress.go
 +++ b/test/e2e/network/ingress.go
 @@ -1,3 +1,5 @@
@@ -279,30 +292,22 @@
  	clientset "k8s.io/client-go/kubernetes"
  	"k8s.io/client-go/tools/clientcmd"
 diff --git a/test/e2e/network/service.go b/test/e2e/network/service.go
-index cce449b5e8e..db7328efbe8 100644
+index 35ac43001d2..b458347a9f9 100644
 --- a/test/e2e/network/service.go
 +++ b/test/e2e/network/service.go
-@@ -17,7 +17,6 @@ limitations under the License.
- package network
- 
- import (
--	"bytes"
- 	"context"
- 	"encoding/json"
- 	"errors"
-@@ -32,8 +31,6 @@ import (
+@@ -31,8 +31,6 @@ import (
  
  	utilnet "k8s.io/apimachinery/pkg/util/net"
  
 -	compute "google.golang.org/api/compute/v1"
 -
+ 	"k8s.io/client-go/tools/cache"
+ 
  	appsv1 "k8s.io/api/apps/v1"
- 	v1 "k8s.io/api/core/v1"
- 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-@@ -47,11 +44,9 @@ import (
- 	"k8s.io/kubernetes/test/e2e/framework"
+@@ -52,11 +50,9 @@ import (
  	e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment"
  	e2eendpoints "k8s.io/kubernetes/test/e2e/framework/endpoints"
+ 	e2eendpointslice "k8s.io/kubernetes/test/e2e/framework/endpointslice"
 -	e2ekubesystem "k8s.io/kubernetes/test/e2e/framework/kubesystem"
  	e2enetwork "k8s.io/kubernetes/test/e2e/framework/network"
  	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
@@ -311,7 +316,7 @@
  	e2erc "k8s.io/kubernetes/test/e2e/framework/rc"
  	e2eservice "k8s.io/kubernetes/test/e2e/framework/service"
  	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
-@@ -59,7 +54,6 @@ import (
+@@ -64,7 +60,6 @@ import (
  	"k8s.io/kubernetes/test/e2e/storage/utils"
  	testutils "k8s.io/kubernetes/test/utils"
  	imageutils "k8s.io/kubernetes/test/utils/image"
@@ -319,7 +324,7 @@
  
  	"github.com/onsi/ginkgo"
  	"github.com/onsi/gomega"
-@@ -1191,375 +1185,6 @@ var _ = SIGDescribe("Services", func() {
+@@ -1242,375 +1237,6 @@ var _ = SIGDescribe("Services", func() {
  		framework.ExpectNoError(err)
  	})
  
@@ -695,7 +700,7 @@
  	/*
  		Testname: Service, update NodePort, same port different protocol
  		Description: Create a service to accept TCP requests. By default, created service MUST be of type ClusterIP and an ClusterIP MUST be assigned to the service.
-@@ -2202,199 +1827,6 @@ var _ = SIGDescribe("Services", func() {
+@@ -2253,199 +1879,6 @@ var _ = SIGDescribe("Services", func() {
  		checkReachabilityFromPod(true, normalReachabilityTimeout, namespace, dropPod.Name, svcIP)
  	})
  
@@ -895,7 +900,7 @@
  	/*
  		Release: v1.19
  		Testname: Service, ClusterIP type, session affinity to ClientIP
-@@ -2880,350 +2312,6 @@ var _ = SIGDescribe("Services", func() {
+@@ -2999,394 +2432,6 @@ var _ = SIGDescribe("Services", func() {
  	})
  })
  
@@ -943,11 +948,18 @@
 -			framework.ExpectNoError(err)
 -
 -			// Make sure we didn't leak the health check node port.
--			threshold := 2
--			nodes, err := jig.GetEndpointNodes()
+-			const threshold = 2
+-			nodes, err := getEndpointNodesWithInternalIP(jig)
 -			framework.ExpectNoError(err)
--			for _, ips := range nodes {
--				err := TestHTTPHealthCheckNodePort(ips[0], healthCheckNodePort, "/healthz", e2eservice.KubeProxyEndpointLagTimeout, false, threshold)
+-			config := e2enetwork.NewNetworkingTestConfig(f, false, false)
+-			for _, internalIP := range nodes {
+-				err := testHTTPHealthCheckNodePortFromTestContainer(
+-					config,
+-					internalIP,
+-					healthCheckNodePort,
+-					e2eservice.KubeProxyLagTimeout,
+-					false,
+-					threshold)
 -				framework.ExpectNoError(err)
 -			}
 -			err = cs.CoreV1().Services(svc.Namespace).Delete(context.TODO(), svc.Name, metav1.DeleteOptions{})
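Review bot: The removal side for test/e2e/network/service.go is refreshed here to the newer upstream code (`getEndpointNodesWithInternalIP`, `testHTTPHealthCheckNodePortFromTestContainer`, internal instead of external node IPs), but the diffstat in this same patch still lists test/e2e/network/service_providers.go at 980 insertions and no hunk visible here touches that file. The copies kept for non-providerless builds therefore presumably still call `jig.GetEndpointNodes` and `TestHTTPHealthCheckNodePort`. If those helpers changed upstream, that file no longer builds without the `providerless` tag and its tests have drifted from the ones being deleted. The same applies to the later service.go hunks that swap in `GetHTTPContentFromTestContainer` and `config.GetResponseFromTestContainer`. Either re-copy the deleted blocks into service_providers.go, or add a line to the patch header such as `service_providers.go is a snapshot and is not kept in sync with upstream`.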
@@ -981,17 +993,20 @@
 -		}()
 -
 -		tcpNodePort := int(svc.Spec.Ports[0].NodePort)
--		endpointsNodeMap, err := jig.GetEndpointNodes()
--		framework.ExpectNoError(err)
--		path := "/clientip"
 -
--		for nodeName, nodeIPs := range endpointsNodeMap {
--			nodeIP := nodeIPs[0]
--			ginkgo.By(fmt.Sprintf("reading clientIP using the TCP service's NodePort, on node %v: %v%v%v", nodeName, nodeIP, tcpNodePort, path))
--			content := GetHTTPContent(nodeIP, tcpNodePort, e2eservice.KubeProxyLagTimeout, path)
--			clientIP := content.String()
--			framework.Logf("ClientIP detected by target pod using NodePort is %s", clientIP)
--			if strings.HasPrefix(clientIP, "10.") {
+-		endpointsNodeMap, err := getEndpointNodesWithInternalIP(jig)
+-		framework.ExpectNoError(err)
+-
+-		dialCmd := "clientip"
+-		config := e2enetwork.NewNetworkingTestConfig(f, false, false)
+-
+-		for nodeName, nodeIP := range endpointsNodeMap {
+-			ginkgo.By(fmt.Sprintf("reading clientIP using the TCP service's NodePort, on node %v: %v:%v/%v", nodeName, nodeIP, tcpNodePort, dialCmd))
+-			clientIP, err := GetHTTPContentFromTestContainer(config, nodeIP, tcpNodePort, e2eservice.KubeProxyLagTimeout, dialCmd)
+-			framework.ExpectNoError(err)
+-			framework.Logf("ClientIP detected by target pod using NodePort is %s, the ip of test container is %s", clientIP, config.TestContainerPod.Status.PodIP)
+-			// the clientIP returned by agnhost contains port
+-			if !strings.HasPrefix(clientIP, config.TestContainerPod.Status.PodIP) {
 -				framework.Failf("Source IP was NOT preserved")
 -			}
 -		}
@@ -1028,13 +1043,13 @@
 -			framework.Failf("Service HealthCheck NodePort was not allocated")
 -		}
 -
--		ips := e2enode.CollectAddresses(nodes, v1.NodeExternalIP)
+-		ips := e2enode.CollectAddresses(nodes, v1.NodeInternalIP)
 -
 -		ingressIP := e2eservice.GetIngressPoint(&svc.Status.LoadBalancer.Ingress[0])
 -		svcTCPPort := int(svc.Spec.Ports[0].Port)
 -
--		threshold := 2
--		path := "/healthz"
+-		const threshold = 2
+-		config := e2enetwork.NewNetworkingTestConfig(f, false, false)
 -		for i := 0; i < len(nodes.Items); i++ {
 -			endpointNodeName := nodes.Items[i].Name
 -
@@ -1053,15 +1068,21 @@
 -
 -			// HealthCheck should pass only on the node where num(endpoints) > 0
 -			// All other nodes should fail the healthcheck on the service healthCheckNodePort
--			for n, publicIP := range ips {
+-			for n, internalIP := range ips {
 -				// Make sure the loadbalancer picked up the health check change.
 -				// Confirm traffic can reach backend through LB before checking healthcheck nodeport.
 -				e2eservice.TestReachableHTTP(ingressIP, svcTCPPort, e2eservice.KubeProxyLagTimeout)
 -				expectedSuccess := nodes.Items[n].Name == endpointNodeName
 -				port := strconv.Itoa(healthCheckNodePort)
--				ipPort := net.JoinHostPort(publicIP, port)
--				framework.Logf("Health checking %s, http://%s%s, expectedSuccess %v", nodes.Items[n].Name, ipPort, path, expectedSuccess)
--				err := TestHTTPHealthCheckNodePort(publicIP, healthCheckNodePort, path, e2eservice.KubeProxyEndpointLagTimeout, expectedSuccess, threshold)
+-				ipPort := net.JoinHostPort(internalIP, port)
+-				framework.Logf("Health checking %s, http://%s/healthz, expectedSuccess %v", nodes.Items[n].Name, ipPort, expectedSuccess)
+-				err := testHTTPHealthCheckNodePortFromTestContainer(
+-					config,
+-					internalIP,
+-					healthCheckNodePort,
+-					e2eservice.KubeProxyEndpointLagTimeout,
+-					expectedSuccess,
+-					threshold)
 -				framework.ExpectNoError(err)
 -			}
 -			framework.ExpectNoError(e2erc.DeleteRCAndWaitForGC(f.ClientSet, namespace, serviceName))
@@ -1127,8 +1148,7 @@
 -		}
 -	})
 -
--	// TODO: Get rid of [DisabledForLargeClusters] tag when issue #90047 is fixed.
--	ginkgo.It("should handle updates to ExternalTrafficPolicy field [DisabledForLargeClusters]", func() {
+-	ginkgo.It("should handle updates to ExternalTrafficPolicy field", func() {
 -		namespace := f.Namespace.Name
 -		serviceName := "external-local-update"
 -		jig := e2eservice.NewTestJig(cs, namespace, serviceName)
@@ -1161,42 +1181,71 @@
 -			framework.Failf("Service HealthCheck NodePort still present")
 -		}
 -
--		endpointNodeMap, err := jig.GetEndpointNodes()
+-		epNodes, err := jig.ListNodesWithEndpoint()
 -		framework.ExpectNoError(err)
--		noEndpointNodeMap := map[string][]string{}
--		for _, n := range nodes.Items {
--			if _, ok := endpointNodeMap[n.Name]; ok {
--				continue
+-		// map from name of nodes with endpoint to internal ip
+-		// it is assumed that there is only a single node with the endpoint
+-		endpointNodeMap := make(map[string]string)
+-		// map from name of nodes without endpoint to internal ip
+-		noEndpointNodeMap := make(map[string]string)
+-		for _, node := range epNodes {
+-			ips := e2enode.GetAddresses(&node, v1.NodeInternalIP)
+-			if len(ips) < 1 {
+-				framework.Failf("No internal ip found for node %s", node.Name)
 -			}
--			noEndpointNodeMap[n.Name] = e2enode.GetAddresses(&n, v1.NodeExternalIP)
+-			endpointNodeMap[node.Name] = ips[0]
 -		}
+-		for _, n := range nodes.Items {
+-			ips := e2enode.GetAddresses(&n, v1.NodeInternalIP)
+-			if len(ips) < 1 {
+-				framework.Failf("No internal ip found for node %s", n.Name)
+-			}
+-			if _, ok := endpointNodeMap[n.Name]; !ok {
+-				noEndpointNodeMap[n.Name] = ips[0]
+-			}
+-		}
+-		framework.ExpectNotEqual(len(endpointNodeMap), 0)
+-		framework.ExpectNotEqual(len(noEndpointNodeMap), 0)
 -
 -		svcTCPPort := int(svc.Spec.Ports[0].Port)
 -		svcNodePort := int(svc.Spec.Ports[0].NodePort)
 -		ingressIP := e2eservice.GetIngressPoint(&svc.Status.LoadBalancer.Ingress[0])
 -		path := "/clientip"
+-		dialCmd := "clientip"
+-
+-		config := e2enetwork.NewNetworkingTestConfig(f, false, false)
 -
 -		ginkgo.By(fmt.Sprintf("endpoints present on nodes %v, absent on nodes %v", endpointNodeMap, noEndpointNodeMap))
--		for nodeName, nodeIPs := range noEndpointNodeMap {
--			ginkgo.By(fmt.Sprintf("Checking %v (%v:%v%v) proxies to endpoints on another node", nodeName, nodeIPs[0], svcNodePort, path))
--			GetHTTPContent(nodeIPs[0], svcNodePort, e2eservice.KubeProxyLagTimeout, path)
+-		for nodeName, nodeIP := range noEndpointNodeMap {
+-			ginkgo.By(fmt.Sprintf("Checking %v (%v:%v/%v) proxies to endpoints on another node", nodeName, nodeIP[0], svcNodePort, dialCmd))
+-			_, err := GetHTTPContentFromTestContainer(config, nodeIP, svcNodePort, e2eservice.KubeProxyLagTimeout, dialCmd)
+-			framework.ExpectNoError(err, "Could not reach HTTP service through %v:%v/%v after %v", nodeIP, svcNodePort, dialCmd, e2eservice.KubeProxyLagTimeout)
 -		}
 -
--		for nodeName, nodeIPs := range endpointNodeMap {
--			ginkgo.By(fmt.Sprintf("checking kube-proxy health check fails on node with endpoint (%s), public IP %s", nodeName, nodeIPs[0]))
--			var body bytes.Buffer
--			pollfn := func() (bool, error) {
--				result := e2enetwork.PokeHTTP(nodeIPs[0], healthCheckNodePort, "/healthz", nil)
--				if result.Code == 0 {
+-		for nodeName, nodeIP := range endpointNodeMap {
+-			ginkgo.By(fmt.Sprintf("checking kube-proxy health check fails on node with endpoint (%s), public IP %s", nodeName, nodeIP))
+-			var body string
+-			pollFn := func() (bool, error) {
+-				// we expect connection failure here, but not other errors
+-				resp, err := config.GetResponseFromTestContainer(
+-					"http",
+-					"healthz",
+-					nodeIP,
+-					healthCheckNodePort)
+-				if err != nil {
+-					return false, nil
+-				}
+-				if len(resp.Errors) > 0 {
 -					return true, nil
 -				}
--				body.Reset()
--				body.Write(result.Body)
+-				if len(resp.Responses) > 0 {
+-					body = resp.Responses[0]
+-				}
 -				return false, nil
 -			}
--			if pollErr := wait.PollImmediate(framework.Poll, e2eservice.TestTimeout, pollfn); pollErr != nil {
+-			if pollErr := wait.PollImmediate(framework.Poll, e2eservice.TestTimeout, pollFn); pollErr != nil {
 -				framework.Failf("Kube-proxy still exposing health check on node %v:%v, after ESIPP was turned off. body %s",
--					nodeName, healthCheckNodePort, body.String())
+-					nodeName, healthCheckNodePort, body)
 -			}
 -		}
 -
@@ -1243,9 +1292,9 @@
 -	})
 -})
 -
- func execSourceipTest(pausePod v1.Pod, serviceAddress string) (string, string) {
- 	var err error
- 	var stdout string
+ // execAffinityTestForSessionAffinityTimeout is a helper function that wrap the logic of
+ // affinity test for non-load-balancer services. Session afinity will be
+ // enabled when the service is created and a short timeout will be configured so
 diff --git a/test/e2e/network/service_providers.go b/test/e2e/network/service_providers.go
 new file mode 100644
 index 00000000000..b7eae6feb2c
@@ -2243,7 +2292,7 @@
  Copyright 2019 The Kubernetes Authors.
  
 diff --git a/test/e2e/scheduling/nvidia-gpus.go b/test/e2e/scheduling/nvidia-gpus.go
-index 334a6f5b9f6..59fbdee014b 100644
+index 313e773b8e2..bbf66b59aac 100644
 --- a/test/e2e/scheduling/nvidia-gpus.go
 +++ b/test/e2e/scheduling/nvidia-gpus.go
 @@ -1,3 +1,5 @@
@@ -2263,7 +2312,7 @@
  Copyright 2017 The Kubernetes Authors.
  
 diff --git a/test/e2e/storage/drivers/in_tree.go b/test/e2e/storage/drivers/in_tree.go
-index d5183f28081..de25e2cf007 100644
+index a866266c1f1..28e26a10c35 100644
 --- a/test/e2e/storage/drivers/in_tree.go
 +++ b/test/e2e/storage/drivers/in_tree.go
 @@ -38,10 +38,8 @@ package drivers
@@ -2291,7 +2340,7 @@
  	imageutils "k8s.io/kubernetes/test/utils/image"
  )
  
-@@ -1032,734 +1028,6 @@ func (e *emptydirDriver) PrepareTest(f *framework.Framework) (*testsuites.PerTes
+@@ -1044,734 +1040,6 @@ func (e *emptydirDriver) PrepareTest(f *framework.Framework) (*testsuites.PerTes
  	}, func() {}
  }
  
@@ -3865,7 +3914,7 @@
  
  		c = f.ClientSet
 diff --git a/test/e2e/storage/pd.go b/test/e2e/storage/pd.go
-index b6d720406aa..86fa0cae488 100644
+index f5b6060a834..addd304147c 100644
 --- a/test/e2e/storage/pd.go
 +++ b/test/e2e/storage/pd.go
 @@ -1,3 +1,5 @@
@@ -3875,7 +3924,7 @@
  Copyright 2015 The Kubernetes Authors.
  
 diff --git a/test/e2e/storage/persistent_volumes-gce.go b/test/e2e/storage/persistent_volumes-gce.go
-index 8b0343e4b58..76a80042811 100644
+index b8bc887384e..f572754c5e8 100644
 --- a/test/e2e/storage/persistent_volumes-gce.go
 +++ b/test/e2e/storage/persistent_volumes-gce.go
 @@ -1,3 +1,5 @@
@@ -3884,14 +3933,6 @@
  /*
  Copyright 2017 The Kubernetes Authors.
  
-@@ -18,6 +20,7 @@ package storage
- 
- import (
- 	"context"
-+
- 	"github.com/onsi/ginkgo"
- 	v1 "k8s.io/api/core/v1"
- 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 diff --git a/test/e2e/storage/regional_pd.go b/test/e2e/storage/regional_pd.go
 index 7763afaf6b1..a042dcc9d4a 100644
 --- a/test/e2e/storage/regional_pd.go
@@ -3910,6 +3951,37 @@
  	"github.com/onsi/ginkgo"
  	"github.com/onsi/gomega"
  
+diff --git a/test/e2e/storage/utils/BUILD b/test/e2e/storage/utils/BUILD
+index bdc78982dcb..c57ff325f76 100644
+--- a/test/e2e/storage/utils/BUILD
++++ b/test/e2e/storage/utils/BUILD
+@@ -7,7 +7,6 @@ go_library(
+     srcs = [
+         "create.go",
+         "deployment.go",
+-        "ebs.go",
+         "framework.go",
+         "host_exec.go",
+         "local.go",
+@@ -37,8 +36,6 @@ go_library(
+         "//test/e2e/framework/ssh:go_default_library",
+         "//test/e2e/framework/testfiles:go_default_library",
+         "//test/utils/image:go_default_library",
+-        "//vendor/github.com/aws/aws-sdk-go/aws:go_default_library",
+-        "//vendor/github.com/aws/aws-sdk-go/service/ec2:go_default_library",
+         "//vendor/github.com/onsi/ginkgo:go_default_library",
+         "//vendor/github.com/onsi/gomega:go_default_library",
+         "//vendor/github.com/pkg/errors:go_default_library",
+diff --git a/test/e2e/storage/utils/ebs.go b/test/e2e/storage/utils/ebs.go
+index 39e223f36aa..55065ea07b7 100644
+--- a/test/e2e/storage/utils/ebs.go
++++ b/test/e2e/storage/utils/ebs.go
+@@ -1,3 +1,5 @@
++// +build !providerless
++
+ /*
+ Copyright 2020 The Kubernetes Authors.
+ 
 diff --git a/test/e2e/storage/volume_provisioning.go b/test/e2e/storage/volume_provisioning.go
 index a8b494eb3ac..c070a81283c 100644
 --- a/test/e2e/storage/volume_provisioning.go
@@ -5070,16 +5142,6 @@
  /*
  Copyright 2018 The Kubernetes Authors.
  
-diff --git a/test/e2e/instrumentation/logging/imports.go b/test/e2e/instrumentation/logging/imports.go
-index 5dd66717db1..fc15c04bfef 100644
---- a/test/e2e/instrumentation/logging/imports.go
-+++ b/test/e2e/instrumentation/logging/imports.go
-@@ -1,3 +1,5 @@
-+// +build !providerless
-+
- /*
- Copyright 2017 The Kubernetes Authors.
-
---
-2.25.1
+-- 
+2.26.2
 
diff --git a/third_party/go/patches/k8s-kubernetes.patch b/third_party/go/patches/k8s-kubernetes.patch
index 158dcd7..0efaa37 100644
--- a/third_party/go/patches/k8s-kubernetes.patch
+++ b/third_party/go/patches/k8s-kubernetes.patch
@@ -16,8 +16,8 @@
 This fixes OpenAPI codegen for when included from the Monogon workspace. It basically undoes vendorification.
 
 diff -ur io_k8s_kubernetes.orig/build/code_generation.bzl io_k8s_kubernetes/build/code_generation.bzl
---- io_k8s_kubernetes.orig/build/code_generation.bzl	2020-04-15 13:43:57.785669620 +0200
-+++ io_k8s_kubernetes/build/code_generation.bzl	2020-04-16 18:19:44.297531873 +0200
+--- io_k8s_kubernetes.orig/build/code_generation.bzl	2021-01-26 12:10:52.593725692 +0100
++++ io_k8s_kubernetes/build/code_generation.bzl	2021-01-26 12:11:04.571786562 +0100
 @@ -27,6 +27,12 @@
          ...
      )
@@ -29,7 +29,7 @@
 +        path = parts[4]
 +        return "@io_k8s_%s//%s:go_default_library" % (project, path)
      return "//%s:go_default_library" % pkg
-
+ 
  def go_pkg(pkg):
 @@ -42,6 +48,8 @@
          ...
@@ -41,7 +41,7 @@
          if pkg.startswith(prefix):
              return paths.relativize(pkg, prefix)
 @@ -49,8 +57,8 @@
-
+ 
  def openapi_deps():
      deps = [
 -        "//vendor/github.com/go-openapi/spec:go_default_library",
@@ -68,12 +68,9 @@
 +        tools = ["@io_k8s_kube_openapi//cmd/openapi-gen"],
          message = "GenOpenAPI",
      )
-
-The rest rips out a bunch of volume providers. We're only interested in CSI and hostpath/local.
-
 diff -ur io_k8s_kubernetes.orig/cmd/kube-apiserver/app/options/globalflags.go io_k8s_kubernetes/cmd/kube-apiserver/app/options/globalflags.go
---- io_k8s_kubernetes.orig/cmd/kube-apiserver/app/options/globalflags.go	2020-04-15 13:43:57.811669689 +0200
-+++ io_k8s_kubernetes/cmd/kube-apiserver/app/options/globalflags.go	2020-04-17 13:29:41.578264893 +0200
+--- io_k8s_kubernetes.orig/cmd/kube-apiserver/app/options/globalflags.go	2021-01-26 12:10:52.605725751 +0100
++++ io_k8s_kubernetes/cmd/kube-apiserver/app/options/globalflags.go	2021-01-26 12:11:04.572786567 +0100
 @@ -32,9 +32,6 @@
  func AddCustomGlobalFlags(fs *pflag.FlagSet) {
  	// Lookup flags in global flag set and re-register the values with our flagset.
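Review bot: The paragraph removed here, `The rest rips out a bunch of volume providers. We're only interested in CSI and hostpath/local.`, was the only explanation of why the following file diffs exist, and a later hunk drops `We also take the opportunity to remove azure/gcp auth.` in the same way. Both sentences should be kept, for example moved into the prose header at the top of the patch, so that regenerating with `diff -ur` does not lose the record of which provider and credential code is stripped. The regenerated output also carries three `Only in io_k8s_kubernetes/…` lines (controllermanager.go.orig, cidr_allocator.go.orig, cadvisor_linux.go.orig), which suggests the tree was diffed with backup files from an earlier patch run still present. Delete those lines and remove the `.orig` files before regenerating.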
@@ -85,9 +82,9 @@
  	globalflag.Register(fs, "default-not-ready-toleration-seconds")
  	globalflag.Register(fs, "default-unreachable-toleration-seconds")
 diff -ur io_k8s_kubernetes.orig/cmd/kube-controller-manager/app/controllermanager.go io_k8s_kubernetes/cmd/kube-controller-manager/app/controllermanager.go
---- io_k8s_kubernetes.orig/cmd/kube-controller-manager/app/controllermanager.go	2020-04-15 13:43:57.812669692 +0200
-+++ io_k8s_kubernetes/cmd/kube-controller-manager/app/controllermanager.go	2020-04-17 13:30:39.975397151 +0200
-@@ -126,7 +126,6 @@
+--- io_k8s_kubernetes.orig/cmd/kube-controller-manager/app/controllermanager.go	2021-01-26 12:10:52.605725751 +0100
++++ io_k8s_kubernetes/cmd/kube-controller-manager/app/controllermanager.go	2021-01-26 12:11:04.572786567 +0100
+@@ -140,7 +140,6 @@
  	namedFlagSets := s.Flags(KnownControllers(), ControllersDisabledByDefault.List())
  	verflag.AddFlags(namedFlagSets.FlagSet("global"))
  	globalflag.AddGlobalFlags(namedFlagSets.FlagSet("global"), cmd.Name())
@@ -95,9 +92,10 @@
  	for _, f := range namedFlagSets.FlagSets {
  		fs.AddFlagSet(f)
  	}
+Only in io_k8s_kubernetes/cmd/kube-controller-manager/app: controllermanager.go.orig
 diff -ur io_k8s_kubernetes.orig/cmd/kube-controller-manager/app/plugins.go io_k8s_kubernetes/cmd/kube-controller-manager/app/plugins.go
---- io_k8s_kubernetes.orig/cmd/kube-controller-manager/app/plugins.go	2020-04-15 13:43:57.813669694 +0200
-+++ io_k8s_kubernetes/cmd/kube-controller-manager/app/plugins.go	2020-04-17 13:34:19.393894095 +0200
+--- io_k8s_kubernetes.orig/cmd/kube-controller-manager/app/plugins.go	2021-01-26 12:10:52.606725757 +0100
++++ io_k8s_kubernetes/cmd/kube-controller-manager/app/plugins.go	2021-01-26 12:11:04.572786567 +0100
 @@ -32,19 +32,9 @@
  	// Volume plugins
  	"k8s.io/kubernetes/pkg/volume"
@@ -188,8 +186,8 @@
  	if utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) {
  		allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
 diff -ur io_k8s_kubernetes.orig/cmd/kubectl/BUILD io_k8s_kubernetes/cmd/kubectl/BUILD
---- io_k8s_kubernetes.orig/cmd/kubectl/BUILD	2020-04-20 14:58:52.573455879 +0200
-+++ io_k8s_kubernetes/cmd/kubectl/BUILD	2020-04-20 14:56:41.199032687 +0200
+--- io_k8s_kubernetes.orig/cmd/kubectl/BUILD	2021-01-26 12:10:52.616725807 +0100
++++ io_k8s_kubernetes/cmd/kubectl/BUILD	2021-01-26 12:11:04.572786567 +0100
 @@ -3,7 +3,7 @@
      "go_binary",
      "go_library",
@@ -199,13 +197,9 @@
  
  go_binary(
      name = "kubectl",
-
-
-We also take the opportunity to remove azure/gcp auth.
-
 diff -ur io_k8s_kubernetes.orig/cmd/kubelet/app/options/globalflags.go io_k8s_kubernetes/cmd/kubelet/app/options/globalflags.go
---- io_k8s_kubernetes.orig/cmd/kubelet/app/options/globalflags.go	2020-04-15 13:43:57.827669732 +0200
-+++ io_k8s_kubernetes/cmd/kubelet/app/options/globalflags.go	2020-04-16 15:58:30.964945445 +0200
+--- io_k8s_kubernetes.orig/cmd/kubelet/app/options/globalflags.go	2021-01-26 12:10:52.617725812 +0100
++++ io_k8s_kubernetes/cmd/kubelet/app/options/globalflags.go	2021-01-26 12:12:03.724087183 +0100
 @@ -28,10 +28,6 @@
  	"k8s.io/component-base/logs"
  	"k8s.io/component-base/version/verflag"
@@ -217,7 +211,7 @@
  )
  
  // AddGlobalFlags explicitly registers flags that libraries (glog, verflag, etc.) register
-@@ -80,14 +76,8 @@
+@@ -80,12 +76,8 @@
  
  // addCredentialProviderFlags adds flags from k8s.io/kubernetes/pkg/credentialprovider
  func addCredentialProviderFlags(fs *pflag.FlagSet) {
@@ -225,16 +219,14 @@
 -	global := pflag.CommandLine
  	local := pflag.NewFlagSet(os.Args[0], pflag.ExitOnError)
  
--	// TODO(#58034): This is not a static file, so it's not quite as straightforward as --google-json-key.
--	// We need to figure out how ACR users can dynamically provide pull credentials before we can deprecate this.
--	pflagRegister(global, local, "azure-container-registry-config")
+-	addLegacyCloudProviderCredentialProviderFlags(global, local)
 -
  	fs.AddFlagSet(local)
  }
  
 diff -ur io_k8s_kubernetes.orig/cmd/kubelet/app/plugins.go io_k8s_kubernetes/cmd/kubelet/app/plugins.go
---- io_k8s_kubernetes.orig/cmd/kubelet/app/plugins.go	2020-04-15 13:43:57.827669732 +0200
-+++ io_k8s_kubernetes/cmd/kubelet/app/plugins.go	2020-04-16 16:10:13.366081373 +0200
+--- io_k8s_kubernetes.orig/cmd/kubelet/app/plugins.go	2021-01-26 12:10:52.617725812 +0100
++++ io_k8s_kubernetes/cmd/kubelet/app/plugins.go	2021-01-26 12:11:04.573786572 +0100
 @@ -19,8 +19,6 @@
  // This file exists to force the desired plugin implementations to be linked.
  import (
@@ -272,7 +264,7 @@
  
  	// Cloud providers
  	_ "k8s.io/kubernetes/pkg/cloudprovider/providers"
-@@ -64,30 +48,13 @@
+@@ -64,30 +50,13 @@
  	//
  	// Kubelet does not currently need to configure volume plugins.
  	// If/when it does, see kube-controller-manager/app/plugins.go for example of using volume.VolumeConfig
@@ -304,8 +296,8 @@
  	return allPlugins, nil
  }
 diff -ur io_k8s_kubernetes.orig/cmd/kubelet/BUILD io_k8s_kubernetes/cmd/kubelet/BUILD
---- io_k8s_kubernetes.orig/cmd/kubelet/BUILD	2020-04-15 13:43:57.827669732 +0200
-+++ io_k8s_kubernetes/cmd/kubelet/BUILD	2020-04-20 14:56:20.446965836 +0200
+--- io_k8s_kubernetes.orig/cmd/kubelet/BUILD	2021-01-26 12:10:52.616725807 +0100
++++ io_k8s_kubernetes/cmd/kubelet/BUILD	2021-01-26 12:11:04.573786572 +0100
 @@ -5,7 +5,7 @@
      go_binary = "go_binary_conditional_pure",
  )
@@ -316,9 +308,9 @@
  go_binary(
      name = "kubelet",
 diff -ur io_k8s_kubernetes.orig/pkg/controller/nodeipam/ipam/cidr_allocator.go io_k8s_kubernetes/pkg/controller/nodeipam/ipam/cidr_allocator.go
---- io_k8s_kubernetes.orig/pkg/controller/nodeipam/ipam/cidr_allocator.go	2020-04-15 13:43:57.860669820 +0200
-+++ io_k8s_kubernetes/pkg/controller/nodeipam/ipam/cidr_allocator.go	2020-04-17 13:18:36.157842990 +0200
-@@ -111,8 +111,6 @@
+--- io_k8s_kubernetes.orig/pkg/controller/nodeipam/ipam/cidr_allocator.go	2021-01-26 12:10:52.664726051 +0100
++++ io_k8s_kubernetes/pkg/controller/nodeipam/ipam/cidr_allocator.go	2021-01-26 12:11:04.573786572 +0100
+@@ -112,8 +112,6 @@
  	switch allocatorType {
  	case RangeAllocatorType:
  		return NewCIDRRangeAllocator(kubeClient, nodeInformer, allocatorParams, nodeList)
@@ -327,9 +319,10 @@
  	default:
  		return nil, fmt.Errorf("invalid CIDR allocator type: %v", allocatorType)
  	}
+Only in io_k8s_kubernetes/pkg/controller/nodeipam/ipam: cidr_allocator.go.orig
 diff -ur io_k8s_kubernetes.orig/pkg/controller/nodeipam/nolegacyprovider.go io_k8s_kubernetes/pkg/controller/nodeipam/nolegacyprovider.go
---- io_k8s_kubernetes.orig/pkg/controller/nodeipam/nolegacyprovider.go	2020-04-15 13:43:57.860669820 +0200
-+++ io_k8s_kubernetes/pkg/controller/nodeipam/nolegacyprovider.go	2020-04-17 13:27:12.440927122 +0200
+--- io_k8s_kubernetes.orig/pkg/controller/nodeipam/nolegacyprovider.go	2021-01-26 12:10:52.665726056 +0100
++++ io_k8s_kubernetes/pkg/controller/nodeipam/nolegacyprovider.go	2021-01-26 12:11:04.573786572 +0100
 @@ -1,5 +1,3 @@
 -// +build providerless
 -
@@ -337,39 +330,40 @@
  Copyright 2019 The Kubernetes Authors.
  
 diff -ur io_k8s_kubernetes.orig/pkg/kubelet/cadvisor/cadvisor_linux.go io_k8s_kubernetes/pkg/kubelet/cadvisor/cadvisor_linux.go
---- io_k8s_kubernetes.orig/pkg/kubelet/cadvisor/cadvisor_linux.go	2020-04-15 13:43:57.875669859 +0200
-+++ io_k8s_kubernetes/pkg/kubelet/cadvisor/cadvisor_linux.go	2020-04-15 18:24:28.683551309 +0200
-@@ -34,8 +34,6 @@
-
+--- io_k8s_kubernetes.orig/pkg/kubelet/cadvisor/cadvisor_linux.go	2021-01-26 12:10:52.676726112 +0100
++++ io_k8s_kubernetes/pkg/kubelet/cadvisor/cadvisor_linux.go	2021-01-26 12:11:04.573786572 +0100
+@@ -33,8 +33,6 @@
+ 
  	// Register cloud info providers.
  	// TODO(#68522): Remove this in 1.20+ once the cAdvisor endpoints are removed.
 -	_ "github.com/google/cadvisor/utils/cloudinfo/aws"
 -	_ "github.com/google/cadvisor/utils/cloudinfo/azure"
  	_ "github.com/google/cadvisor/utils/cloudinfo/gce"
-
+ 
  	"github.com/google/cadvisor/cache/memory"
-
---- io_k8s_kubernetes.orig/test/e2e/BUILD 2020-07-22 10:51:20.277358305 +0200
-+++ io_k8s_kubernetes/test/e2e/BUILD   2020-07-22 10:56:43.451577495 +0200
+Only in io_k8s_kubernetes/pkg/kubelet/cadvisor: cadvisor_linux.go.orig
+diff -ur io_k8s_kubernetes.orig/test/e2e/BUILD io_k8s_kubernetes/test/e2e/BUILD
+--- io_k8s_kubernetes.orig/test/e2e/BUILD	2021-01-26 12:10:52.736726417 +0100
++++ io_k8s_kubernetes/test/e2e/BUILD	2021-01-26 12:11:04.573786572 +0100
 @@ -5,7 +5,7 @@
      go_test = "go_test_conditional_pure",
  )
  load("@io_bazel_rules_go//go:def.bzl", "go_library")
 -load("//staging/src/k8s.io/component-base/version:def.bzl", "version_x_defs")
 +load("@//third_party/go:kubernetes_version_def.bzl", "version_x_defs")
-
+ 
  go_test(
      name = "go_default_test",
-
---- io_k8s_kubernetes.orig/test/e2e/generated/BUILD
-+++ io_k8s_kubernetes/test/e2e/generated/BUILD
-@@ -4,23 +4,24 @@ load(
+diff -ur io_k8s_kubernetes.orig/test/e2e/generated/BUILD io_k8s_kubernetes/test/e2e/generated/BUILD
+--- io_k8s_kubernetes.orig/test/e2e/generated/BUILD	2021-01-26 12:10:52.743726453 +0100
++++ io_k8s_kubernetes/test/e2e/generated/BUILD	2021-01-26 12:11:04.573786572 +0100
+@@ -4,23 +4,24 @@
      "@io_bazel_rules_go//go:def.bzl",
      "go_library",
  )
 -load("//build:bindata.bzl", "go_bindata")
 +load("@dev_source_monogon//build/bindata:bindata.bzl", "bindata")
-
+ 
  go_library(
      name = "go_default_library",
      srcs = [
@@ -385,14 +379,14 @@
          "@io_k8s_klog_v2//:go_default_library",
      ],
  )
-
+ 
 -# IMPORTANT: if you make any changes here, you must also update hack/generate-bindata.sh.
 -go_bindata(
 +bindata(
      name = "bindata",
      srcs = [
          "//test/conformance/testdata:all-srcs",
-@@ -29,9 +30,7 @@ go_bindata(
+@@ -29,9 +30,7 @@
          "//test/fixtures:all-srcs",
          "//test/images:all-srcs",
      ],
@@ -401,5 +395,5 @@
 -    include_metadata = False,
 +    package = "generated",
  )
-
+ 
  filegroup(
diff --git a/third_party/go/patches/k8s-revert-seccomp-runtime-default.patch b/third_party/go/patches/k8s-revert-seccomp-runtime-default.patch
new file mode 100644
index 0000000..d8377b5
--- /dev/null
+++ b/third_party/go/patches/k8s-revert-seccomp-runtime-default.patch
@@ -0,0 +1,48 @@
+Copyright 2020 The Monogon Project Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+From 2adf4ec9796839014a708761b8fb6ad815306def Mon Sep 17 00:00:00 2001
+From: Serge Bazanski <serge@nexantic.com>
+Date: Tue, 26 Jan 2021 11:37:01 +0100
+Subject: [PATCH] Manually revert 
+ https://github.com/kubernetes/kubernetes/pull/90949
+
+This reverts PR 90494 which breaks runc within Metropolis. See T916.
+
+---
+ pkg/kubelet/kuberuntime/kuberuntime_sandbox.go | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+index 0978044f753..c46436f2a41 100644
+--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
++++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+@@ -148,11 +148,8 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
+ 	lc := &runtimeapi.LinuxPodSandboxConfig{
+ 		CgroupParent: cgroupParent,
+ 		SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
+-			Privileged: kubecontainer.HasPrivilegedContainer(pod),
+-
+-			// Forcing sandbox to run as `runtime/default` allow users to
+-			// use least privileged seccomp profiles at pod level. Issue #84623
+-			SeccompProfilePath: v1.SeccompProfileRuntimeDefault,
++			Privileged:         kubecontainer.HasPrivilegedContainer(pod),
++			SeccompProfilePath: m.getSeccompProfile(pod.Annotations, "", pod.Spec.SecurityContext, nil),
+ 		},
+ 	}
+ 
+-- 
+2.26.2
+
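Review bot: The replacement line `SeccompProfilePath: m.getSeccompProfile(pod.Annotations, "", pod.Spec.SecurityContext, nil),` makes the sandbox's seccomp profile depend entirely on the pod's own annotations and security context, so a pod that sets neither no longer gets the `runtime/default` profile the removed lines forced. What it gets instead depends on getSeccompProfile and the container runtime, neither visible here, and may be unconfined. The patch header should state that consequence and when the patch can go, e.g. `Sandboxes of pods without a seccomp annotation or securityContext lose runtime/default until T916 is fixed; drop this patch then.` Until it is dropped, workloads should set a pod-level seccomp profile explicitly. The header also disagrees with itself about which PR is reverted: the Subject links pull/90949 while the body says `PR 90494`. generatePodSandboxLinuxConfig continues outside the inner hunk.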
